Question

我想看看是否已创建用户名... 我找到了，mysql_num_row（）或者它是什么，似乎不起作用，如果我使用它，我得到一个T_STRING错误... 继承我的代码，说它应该有效，但它没有，为什么？：

/*simple checking of the data*/
if(isset($_POST['login']) && isset($_POST['pass']) && ($_POST['pass'] == $_POST['confirm']))
{

/*Connection to database logindb using your login name and password*/
$db=mysql_connect('localhost','user','pass') or die(mysql_error());
mysql_select_db('db');

/*additional data checking and striping*/
$_POST['login']=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
$_POST['pass']=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

mysql_query("INSERT INTO profiles SET username='{$_POST['login']}',password='{$_POST['pass']}'",$db);

/*If the database has been updated*/
if(mysql_affected_rows() > 0)
{
    $_SESSION['login'] = $_POST['login'];
    $login='Welcome '.$_SESSION['login'];
}
else
{
    $login= 'This login name already exists.';
}

mysql_close($db);

}

我做了showdev建议，但得到一个错误：

新代码：

/*additional data checking and striping*/
$_POST['login']=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
$_POST['pass']=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

mysql_query("INSERT INTO profiles SET  username='{$_POST['login']}',password='{$_POST['pass']}'",$db);

/*If the database has been updated
if(mysql_affected_rows() > 0)
{
$_SESSION['login'] = $_POST['login'];
$login='Welcome '.$_SESSION['login'];
}
else
{
$login= 'This login name already exists.';
}*/
$sql="SELECT COUNT(*) FROM `profiles` WHERE `username`='$username' AND `password`='$password' LIMIT 0,1;"
$q=mysql_query($sql) or die(mysql_error());
$r=mysql_fetch_row($q);
if ($r[0]==0) {
   // insert new user
    } else {
   // user already exists
    }

mysql_close($db);

}

错误：

解析错误：语法错误，第34行/home/teachert/public_html/php/register.php中的意外T_VARIABLE

更新：

新守则：

mysql_query("INSERT INTO profiles SET `username`='{$_POST['login']}',`password`='{$_POST['pass']}' ON DUPLICATE KEY UPDATE `username`='{$_POST['login']}'",$db);
/*If the database has been updated*/
if(mysql_affected_rows() == 1)
{
    $_SESSION['login'] = $_POST['login'];
    $login='Welcome '.$_SESSION['login'];
}
else
{
    $login= 'This login name already exists.';
}

mysql_close($db);

}

仍然无效

Answer 1

您可能需要SELECT用户名，以查看它是否已存在于INSERT之前。像这样：

$login=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
$pass=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

$sql="SELECT COUNT(*) FROM `profiles` WHERE `username`='$login';"

$q=mysql_query($sql) or die(mysql_error());
$r=mysql_fetch_row($q);

if ($r[0]==0) { // count is 0, no matching users

   // insert new user
   $sql="INSERT INTO `profiles`
           (`username`,`password`) VALUES ('$login','$pass');";
   mysql_query($sql) or die(mysql_error());

   $_SESSION['login'] = $login;
   $login='Welcome '.$_SESSION['login'];

} else {

   // user already exists
   $login= 'This login name already exists.';

}

另外，考虑PDO，因为mysql_ *命令已被折旧。

Answer 2

检查用户是否已存在，并使用sanitize函数来防止注入

function sanitize($string) {
  $string = mysql_real_escape_string(strip_tags(trim($string)));
  return $string;
}

function user_exists($username) {
  $username = sanitize($username);
  return (mysql_result(mysql_query("SELECT COUNT(`username`) FROM `profiles` WHERE `username` = '$username'"), 0) == 1) ? true : false;
}

if (user_exists() === true) {

} else {
  $login= 'This login name already exists.';
}

如何检查现有用户名

2 个答案: